
Do I need to use auto added Firewall rule for SMTP scanning?

Hi,

I am preparing a configuration to use XGS as MTA and I have some questions to which I don't find answers.

Current situation:

External MX and MAIL-out server are used, Exchange is set up locally.

We have /24 public IPs on that site and only one IP is on the Firewall's WAN interface. All other IPs that are in use (including the one for Exchange), are routed to FW WAN interface and then NATed. The aliases are not added.

To be:

I am planning to use Exchange's public IP for MX record and would like to use existing Firewall rules (one for inbound and one for outbound) and NAT if it is possible. Would adding SMTP and SMTPS scans to existing two rules work?

If not, and I need to use the autocreated rule, I would need to change that rule so it does not catch too much SMTP traffic, as this is not the only SMTP traffic on that Firewall. So, the question is how to catch only and all the traffic, inbound and outbound, sent to and sent from a specific server in one rule? The only option I see is to set all public IPs and the Exchange internal IP as source and destination network.

For now I am not planning to add IMAP and POP scanning, but if later I decide to do it, do I again need to use the same autocreated rule?

As I understood from some articles, such as this one here, the autocreated rule always needs to be used. What is the use of "Scan SMTP" in other rules then?

Also I don't find the information on whether it is necessary to have the MX IP added as an alias on the interface. The article doesn't mention a configuration where the IP is only NAT-ed and without an alias. And if I add one of the NATed IPs as an alias, I was told that I will probably need to add all of them to keep everything working. Is that true?

Those are a few questions I'd like to know the answers to before I start rerouting SMTP traffic. I am sure more of them will arise when the work starts.

Thank you in advance for the answers!

  • doc.sophos.com/.../index.html <- what you have to do (on the firewall)

    - in your case (legacy mode) the auto-created rule is not needed
    - MTA mode would also work, but if you just wanna send/receive mails with a mailserver + protection from/to WAN, legacy mode fits you better (and is ez to setup)
    - you don't need an alias if you can reach the firewall via a public IP address, of course you can add an alias if you wanna send/receive mails via a dedicated public IP address (in the end the MX record(s) are telling the sender where SMTP service is)

    Maybe you should inform yourself about things like MX, SPF, A-Record, rDNS, HELO beforehand, if you wanna send/receive mails directly via an on-prem server (like a big mail-hosting service).

  • Thank you for the answer!

    I didn't really check the possibilities that the transparent mode offers, because I don't believe it can offer me some of the features I need, like DKIM signing and BATV. And also I'd like to try how it behaves as MTA, configure different policies for different domains and route them into different zones.

    So if I stay on MTA mode, is the auto created rule then needed, or can I replace it with some other FW rule?

    About that alias: the traffic is already being sent to and received from that dedicated public IP address, as our current mail filters are outside our network and are using this IP for SMTP traffic. What I am wondering is if the Firewall will answer EHLO sent to an IP which is not residing on it. Of course I can just try it, but it's a live system and I don't want to cause more downtime than is necessary.

  • - then you need MTA mode of course
    - MTA mode needs the auto-rule -> all SMTP traffic from/to will use the firewall interface IP as sender (e.g. your primary public IP) or the internal interface IP to your exchange (so in the end it just does MASQ the IP for SMTP like you can see it in the rule)
    - the firewall by default accepts SMTP on all interfaces/addresses of the zones you enabled in SMTP Relay -> Administration -> Device access -> Local service ACL -> SMTP Relay in the zones
    - for outgoing SMTP to WAN the primary WAN IP will be the default sender address, for dedicated IP you will need to create a new S-NAT (your alias IP) to WAN rule for SMTP on top of the default rule
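The answer above has a consequence for SPF: by default the receiving MTA sees the firewall's primary WAN IP, not the dedicated MX IP, unless an SNAT rule for SMTP is added. The following is an added example (not from the thread or from Sophos) that models that with constructed placeholder addresses and a minimal offline SPF evaluator handling only ip4/ip6 mechanisms and the final "all" qualifier; the record, IPs and function names are assumptions.

```python
import ipaddress

# Constructed placeholder addresses standing in for the /24 discussed in the thread.
PRIMARY_WAN_IP = "203.0.113.1"       # firewall WAN interface IP (default SMTP source in MTA mode)
EXCHANGE_PUBLIC_IP = "203.0.113.25"  # NATed IP published in the MX record
# Constructed SPF record: only the MX IP is authorised to send.
SPF_RECORD = "v=spf1 ip4:203.0.113.25 -all"


def spf_allows(record: str, sender_ip: str) -> bool:
    """Minimal SPF check: ip4/ip6 mechanisms plus the trailing 'all' qualifier.
    include/a/mx are not resolved, so this runs without DNS. Returns True only
    for an explicit pass ('+'); softfail/fail/neutral all yield False."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return qualifier == "+"
        if ":" in term:
            mech, value = term.split(":", 1)
            if mech.lower() in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
                return qualifier == "+"
    return False  # no mechanism matched and no 'all' term: neutral


def outbound_source_ip(snat_rule_for_smtp: bool) -> str:
    """Source IP the receiving MTA sees, as described in the answer:
    primary WAN IP by default, the dedicated alias IP only with an explicit SNAT rule."""
    return EXCHANGE_PUBLIC_IP if snat_rule_for_smtp else PRIMARY_WAN_IP


def check_deployment(snat_rule_for_smtp: bool) -> dict:
    """Combine both: which IP goes out, and whether the published SPF record covers it."""
    src = outbound_source_ip(snat_rule_for_smtp)
    return {"source_ip": src, "spf_pass": spf_allows(SPF_RECORD, src)}


if __name__ == "__main__":
    for snat in (False, True):
        print("SNAT rule for SMTP:", snat, "->", check_deployment(snat))
```

Without the SNAT rule the constructed record fails SPF for the primary WAN IP; either add the rule or list the primary WAN IP in the SPF record (and keep rDNS/HELO consistent with whichever IP actually sends).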
